PF Firewalling small tip

I was trying to block HTTP access for one of my users. I have a SQUID cache server/gateway at the chokepoint of my network, and I use one of that server's Ethernet ports just for catching HTTP connections and caching content; I also installed PF as the firewall. As you may know, PF makes it very easy to block any kind of inbound or outbound access, so to stop my user from initiating HTTP requests I added the following rule to /etc/pf.conf:

block in on bge0 proto tcp from 10.0.0.1 to any port 80

But I experienced a strange thing: the client was still able to use HTTP. I also checked my SQUID logs, and all of the user's requests were passing through the SQUID proxy. The reason is that PF applies its rdr (redirection) rules before any filtering: by the time the filter rules see the packet, its destination has already been rewritten to 127.0.0.1 port 3128, so a block rule that matches on "port 80" never sees a matching packet.

IMPORTANT: PF redirects packets before any kind of filtering

So then, I edited /etc/pf.conf like this:

table <proxied> { 10.0.0.0/8, !10.0.0.1 }   # table name assumed: the original name was lost when the angle brackets were stripped
...
rdr on bge0 proto tcp from <proxied> to any port 80 -> 127.0.0.1 port 3128
...
block in on bge0 proto tcp from 10.0.0.1 to any port 80
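To make the ordering concrete, here is a small added model of how pre-4.7 PF evaluates the rules above (my illustration, not PF's own code and not part of the original post): redirection is applied first, then the filter rules run on the translated packet with last-matching-rule-wins semantics. The table name, the destination address and the host 10.0.0.2 are constructed sample values; the evaluator also implements pf's longest-prefix matching for negated table entries, which is what makes "!10.0.0.1" override "10.0.0.0/8".

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_table(ip, entries):
    """Mimic a pf table lookup: the most specific (longest-prefix) entry
    covering the address decides, and a '!' entry means 'not a member'."""
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, negated?)
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, negated)
    return best is not None and not best[1]


def apply_rdr(pkt, rdr_sources, dport=80, proxy=("127.0.0.1", 3128)):
    """Pre-4.7 pf: 'rdr ... from <table> to any port 80 -> 127.0.0.1 port 3128'
    rewrites the destination before any filter rule is consulted."""
    if pkt.dport == dport and in_table(pkt.src, rdr_sources):
        return replace(pkt, dst=proxy[0], dport=proxy[1])
    return pkt


def filter_packet(pkt, rules):
    """Filter rules see the translated packet; the last matching rule wins.
    With no 'block all' rule the default verdict is pass, as in the post."""
    verdict = "pass"
    for action, src, dport in rules:
        if pkt.src == src and (dport is None or pkt.dport == dport):
            verdict = action
    return verdict


def evaluate(pkt, rdr_sources, rules):
    """Run a packet through rdr, then filtering; return (verdict, packet seen by the filter)."""
    translated = apply_rdr(pkt, rdr_sources)
    return filter_packet(translated, rules), translated


# The block rule from the post: block in on bge0 proto tcp from 10.0.0.1 to any port 80
BLOCK_RULE = [("block", "10.0.0.1", 80)]
# First attempt: every 10/8 host is redirected to SQUID, including the one we want to block.
NAIVE_TABLE = ["10.0.0.0/8"]
# The fix: exclude 10.0.0.1 from the redirect table so the filter still sees port 80.
FIXED_TABLE = ["10.0.0.0/8", "!10.0.0.1"]


def main():
    target = "198.51.100.10"  # constructed sample web server (documentation range)
    for label, table in (("naive", NAIVE_TABLE), ("fixed", FIXED_TABLE)):
        for src in ("10.0.0.1", "10.0.0.2"):
            verdict, seen = evaluate(Packet(src, target, 80), table, BLOCK_RULE)
            print(f"{label}: {src} -> filter saw dst {seen.dst}:{seen.dport}, verdict {verdict}")


if __name__ == "__main__":
    main()
```

With the naive table, 10.0.0.1's packet reaches the filter as 127.0.0.1:3128 and passes; with the table exclusion it arrives untouched on port 80 and the block rule finally matches, while 10.0.0.2 is still redirected to the cache.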

After editing the configuration, the following commands reload it. The first disables PF and kills the existing state entries (otherwise an already-established HTTP session would keep matching its state and bypass the new rule); the second re-enables PF and loads the new rule set:

$ pfctl -d -k localhost

$ pfctl -e -f /etc/pf.conf

Now my user with the static address 10.0.0.1 is no longer able to use HTTP. That was only a test, of course; nobody wants to cut off HTTP access for a user!